For much of the U.S. and increasingly overseas, Thanksgiving weekend marks the beginning of a critical period of holiday festivities and opens up a make-or-break window for the retail sector.
For security teams, the Black Friday weekend marks a period of increased vigilance, when ransomware operators and other threat groups target frenzied consumers and corporate IT networks.
Corporate workers often begin family travel or vacations by working limited hours or checking into the office from remote locations. Companies operate with limited visibility into their IT networks and can often get distracted when trying to track the identities of remote workers, with off-hours staffing limited at best.
“Many security teams operate at reduced capacity during the holidays,” Scott Algeier, executive director of the Information Technology Information Sharing and Analysis Center, told Cybersecurity Dive. “However, this does not mean that networks are left undefended.”
Managing the perimeter
Managing security in the era of remote work has created additional challenges for companies for many years. Employees are often working from home, using personal computers or unapproved software. They might be sharing a computer network with multiple family members.
During the holiday season, those challenges are compounded, with workers accessing their corporate networks from remote locations and various time zones. This makes it more difficult for a security team to confirm the identity of an employee, a legitimate contract worker or a senior executive with high privileges.
Ransomware groups and other threat actors do most of their initial entry and reconnaissance activity overnight, on weekends or during extended holiday periods, when security teams are distracted, operating with limited staff or otherwise unavailable.
A report released Monday by cybersecurity firm Semperis shows more than half of all ransomware attacks during the past 12 months took place over a holiday or weekend. The Semperis report, conducted by Censuswide, a London-based market research firm, is based on a survey of 1,500 IT and security professionals across the globe.
The respondents included IT security leaders in North America, the U.K., continental Europe and the Asia-Pacific region.
According to the report, about three of every four companies have an in-house security operations center. The report shows that eight out of every 10 companies reduce their staffing by 50% or more during weekends and holiday periods, which places them at greater risk of attack.
“During the holiday season, we know that most security teams are operating with reduced staff,” said Matt Brady, senior principal researcher in Unit 42 at Palo Alto Networks. “Unfortunately, cyber criminals are fully aware of this and they actively look to exploit those reduced coverage periods.”
Lessons from a long weekend
A social engineering attack against Marks & Spencer provided an example of the vulnerabilities present around a holiday. According to testimony before a subcommittee in the U.K. House of Commons, the damaging attack began on April 17, just days before Easter.
The attack led to more than $400 million in lost sales and costs for the British department store chain. The attack was one of the earliest events in a wave of attacks linked to the Scattered Spider cybercrime group. The entire retail sector suffered through months-long attacks that resulted in millions of dollars in lost revenue and customer data being compromised across multiple countries.
Officials at the Retail & Hospitality Information Sharing and Analysis Center said retailers take additional precautions to prepare for the holiday season.
“Many start reinforcing their defenses months in advance with comprehensive, company-wide security awareness programs, expanded phishing simulations and mandatory refresher training for frontline employees,” Pam Lindemoen, chief security officer and vice president at RH-ISAC, told Cybersecurity Dive. “They update and rehearse incident response plans, conduct more frequent and realistic tabletop exercises, and tighten access controls across critical systems.”
The Cybersecurity and Infrastructure Security Agency has not identified any specific threats related to the holiday season, but it said it is prepared to deal with any potential crisis.
“The holiday season indeed brings an increased risk of malicious actors exploiting vulnerable systems,” said CISA spokesperson Marci McCarthy. “This underscores the necessity of maintaining robust cybersecurity practices throughout the entire year, not just during high-alert seasons.”
Overnight encryption
Researchers from Google Threat Intelligence Group cautioned that ransomware activity does not necessarily surge during holiday periods, but said off-hours attacks do provide attackers the ability to get better access to data.
Zach Riddle, principal analyst at GTIG, said ransomware activity has previously shown slight decreases in December. He even cited leaked chat logs from hackers using Black Basta ransomware, which show the group taking a break between Christmas Eve and Jan. 15, the end of the Russian Orthodox Christmas holiday.
Riddle warned, however, that ransomware groups do use off-hours to encrypt targeted data. During 2024, hackers encrypted data between 6 p.m. and 8 a.m. in more than 70% of the cases the company responded to. In 30% of cases, encryption began on weekends.
“This is likely because actors target ransomware deployment outside of working hours to minimize detection and maximize impact,” Riddle told Cybersecurity Dive. “Conducting encryption during non-working hours may allow threat actors more time to complete their operation before the victim is able to identify and react to the incident, particularly when encrypting a large number of systems, which may take many hours.”
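As an added example (not from the article, GTIG or any named vendor), the Python below sketches a detection heuristic for the pattern Riddle describes: bursts of file renames across many hosts are alerted on, and bursts that fall in the 6 p.m. to 8 a.m. or weekend window are escalated because fewer analysts are on shift. The organisation's time zone, the thresholds and the telemetry are assumed or constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from zoneinfo import ZoneInfo

# Assumed: the organisation's local time zone (constructed for this example).
ORG_TZ = ZoneInfo("America/New_York")
OFF_HOURS_START, OFF_HOURS_END = 18, 8   # 6 p.m. to 8 a.m., the window GTIG cites

def is_off_hours(ts: datetime) -> bool:
    """Weekend, or between 6 p.m. and 8 a.m., evaluated in the organisation's local time."""
    local = ts.astimezone(ORG_TZ)
    return local.weekday() >= 5 or local.hour >= OFF_HOURS_START or local.hour < OFF_HOURS_END

def detect_mass_renames(events, bucket_seconds=600, min_hosts=3, min_files=200):
    """Aggregate file-rename telemetry into fixed time buckets and alert when many hosts
    rename many files within the same bucket. Off-hours bursts are escalated to 'critical'
    because reduced staffing makes them slower to notice. Thresholds are assumed."""
    buckets = defaultdict(lambda: {"hosts": set(), "files": 0})
    for ev in events:
        key = int(ev["ts"].timestamp()) // bucket_seconds
        buckets[key]["hosts"].add(ev["host"])
        buckets[key]["files"] += ev["renamed"]
    alerts = []
    for key in sorted(buckets):
        b = buckets[key]
        if len(b["hosts"]) >= min_hosts and b["files"] >= min_files:
            start = datetime.fromtimestamp(key * bucket_seconds, tz=ORG_TZ)
            severity = "critical" if is_off_hours(start) else "high"
            alerts.append({"start": start, "hosts": len(b["hosts"]),
                           "files": b["files"], "severity": severity})
    return alerts

def _ev(y, m, d, hh, mm, host, renamed):
    return {"ts": datetime(y, m, d, hh, mm, tzinfo=ORG_TZ), "host": host, "renamed": renamed}

# Constructed sample telemetry: a weekday business-hours burst, a routine single-server
# patch job, and a 2 a.m. Saturday burst spread across four workstations.
SAMPLE_EVENTS = [
    _ev(2024, 12, 4, 10, 0, "ws-11", 100), _ev(2024, 12, 4, 10, 2, "ws-12", 100),
    _ev(2024, 12, 4, 10, 4, "ws-13", 100),
    _ev(2024, 12, 4, 12, 0, "srv-01", 50),
    _ev(2024, 12, 7, 2, 0, "ws-01", 150), _ev(2024, 12, 7, 2, 3, "ws-02", 150),
    _ev(2024, 12, 7, 2, 5, "ws-03", 150), _ev(2024, 12, 7, 2, 7, "ws-04", 150),
]

if __name__ == "__main__":
    for a in detect_mass_renames(SAMPLE_EVENTS):
        print(f"{a['start']:%a %Y-%m-%d %H:%M} {a['hosts']} hosts, {a['files']} files -> {a['severity']}")
```

The single-server patch job stays below both thresholds, while the two multi-host bursts alert; only the Saturday one is marked critical.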
